FW: [Openswan Users] OpenSwan AH only

Luis Rodrigues luis.rodrigues at netgraf.com
Wed Sep 15 11:33:00 CEST 2004

Anyway, I've found this on the mailing list, and it's kind of my problem.
Sometimes the draytek Vigor 2600 marks the tunnel as up, and i can't get any
traffic trough the tunnel. The only solution is to shut down the router for
a couple of minutes and turn it on again.

If i use draytek to draytek VPN's, the problem stays the same, unless i use
AH only.

Dear Paul Wouters,

Thanks for your feedback.
We are so glad to hear this good news from you.
Our RD staffs will implement this issue into the released firmware for all
Vigor's routers in future.
As the re-key problem, we will test and fix it before released. 

Best regards,
Sam Hu
FAE Department / Draytek Corp.
DrayTek: for Vigorous Broadband Access

Paul Wouters <paul at xtdnet.nl> wrote:

> On Mon, 23 Aug 2004, DrayTek Support wrote:
> > Dear Paul Wouters,
> >
> > Here is the beta firmware to add multi-tunnels function for Vigor2600G
on the 
> attachment.
> > Please upgrade it and kindly share the result with us.
> > Note, this beta firmware has been authenticated this function only.
> Your beta-firmware image is working flawlessly!
> We now have two tunnels up from the Vigor to an Openswan server and
traffic is 
> flowing
> over both tunnels!
> Will you be also updating the vigor 2500's with this bugfix? Since most of
> Vigor models are actually the 2500 (annex A and B) and the 2500Ge models.
> The other problem I reported about the failing rekeying was also found. it
> that
> the webinterface doesn't always update all the changes you make when there
> a popup
> involved. So we ended up having some weird tunnel that started from the
> end
> using ESP and at rekey time the Vigor wanted to negotiate AH only.
Openswan incorrectly
> marked the ESP tunnel as "up" while it was endlessly failing to rekey over
> channel.
> Thanks to Draytek for the great support on this issue!
> Paul

-----Mensagem original-----
De: Paul Wouters [mailto:paul at xelerance.com] 
Enviada: terça-feira, 14 de Setembro de 2004 20:23
Para: Luis Rodrigues
Cc: users at openswan.org
Assunto: Re: [Openswan Users] OpenSwan AH only

On Tue, 14 Sep 2004, Luis Rodrigues wrote:

> I only have one question: Is it possible to use only the AH auth, and no
> ecrypt?

Yes, you can specify: auth=ah

If using KLIPS, you need to make sure it has been compiled with AH support. 
We recently started shipping the default KLIPS configuration without AH

> Tihs is very important to me, because i would like to use a router as a
> remote VPN site, and it has some problems with ESP.

Obviously the proper way to fix this is to replace that device. You can also
try and tweak its configutation a bit so that its bug doesn't get triggered.
For instance, with Watchguard, you can work around a bug in the ESP MD5
HMAC by only offering SHA1. Something similar might be possible for your
router, so you can keep encrypting your VPN (and not turn it into a Virtual
Public Network).

ps. netgraf as in BSD's netgraf? I hope that is not the device in question?

More information about the Users mailing list